diff --git a/.githooks/pre-commit b/.githooks/pre-commit
new file mode 100755
index 0000000..25e5074
--- /dev/null
+++ b/.githooks/pre-commit
@@ -0,0 +1,48 @@
+#!/bin/sh
+echo "Running Gitleaks pre-commit scan on staged changes (Server Settings)..."
+
+mkdir -p .gitleaks_out
+touch .gitleaks_out/gitleaks-precommit.json
+
+# Prefer local gitleaks if available, fallback to Docker
+if command -v gitleaks >/dev/null 2>&1; then
+ echo "โšก Using local gitleaks binary"
+ SCAN_CMD="gitleaks detect \
+ --pipe \
+ --config=gitleaks.toml \
+ --report-format=json \
+ --report-path=.gitleaks_out/gitleaks-precommit.json \
+ --no-banner"
+else
+ echo "Local gitleaks not found, using Docker fallback"
+ SCAN_CMD="docker run --rm -i -v \"$(pwd)\":/repo ghcr.io/gitleaks/gitleaks:v8.28.0 detect \
+ --pipe \
+ --config=/repo/gitleaks.toml \
+ --report-format=json \
+ --report-path=/repo/.gitleaks_out/gitleaks-precommit.json \
+ --no-banner"
+fi
+
+# Run scan on staged diff only
+git diff --cached --unified=0 --no-color \
+ | grep '^+' \
+ | grep -v '^+++' \
+ | sh -c "$SCAN_CMD"
+status=$?
+if [ $status -ne 0 ]; then
+ echo "Possible secrets detected in staged changes!"
+ echo " See .gitleaks_out/gitleaks-precommit.json for details."
+ echo ""
+ echo "Commit aborted."
+ echo ""
+ echo "Reminder: Do NOT bypass with 'git commit --no-verify'."
+ echo "CI will still block your PR even if you bypass locally."
+ echo ""
+ echo "If this secret is actually required in the repo (false positive or approved usage),"
+ echo "you MUST meet with the CTO / Team Lead / DevOps to approve"
+ echo "and add it to the gitleaks ignore list."
+ exit 1
+fi
+
+echo "No secrets found. Commit allowed."
+exit 0
\ No newline at end of file
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
new file mode 100644
index 0000000..0d4fdca
--- /dev/null
+++ b/.github/workflows/security.yml
@@ -0,0 +1,18 @@
+name: Security Scan
+
+on:
+ pull_request:
+ branches:
+ - Dev
+ - dev-1
+ push:
+ branches:
+ - Dev
+ - dev-1
+
+jobs:
+ gitleaks:
+ name: Run Gitleaks Scan
+ uses: peer-network/peer_global_security/.github/workflows/gitleaks.yml@main
+ with:
+ config: gitleaks.toml
diff --git a/.gitignore b/.gitignore
index 0b6f480..94927f0 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,4 +3,5 @@ secrets.auto.tfvars
 clouds.yaml
 *.tfstate
 peer_network.yaml
-terraform.tfstate*
\ No newline at end of file
+terraform.tfstate*
+.gitleaks_out/
\ No newline at end of file
diff --git a/README_gitleaks.md b/README_gitleaks.md
new file mode 100644
index 0000000..48b852a
--- /dev/null
+++ b/README_gitleaks.md
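Review bot: The reusable workflow on the `uses:` line is referenced at the mutable ref `@main`, so anyone who can push to peer-network/peer_global_security can change what this gate does without any change reviewed in this repository; pin it to a release tag or, better, a full commit SHA, e.g. `uses: peer-network/peer_global_security/.github/workflows/gitleaks.yml@<commit-sha>`, and bump it deliberately. The `gitleaks:` job also inherits the repository's default token permissions; adding `permissions:` / `contents: read` under the job keeps the scan read-only, and if the called workflow needs more it will fail visibly rather than silently run with write access. The triggers cover only `Dev` and `dev-1`; if other long-lived branches exist, pushes to them are not scanned by this workflow.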
@@ -0,0 +1,73 @@
+# ๐Ÿ”’ Gitleaks Pre-Commit Hook (Sever Settings)
+
+This repository uses **[Gitleaks](https://github.com/gitleaks/gitleaks)** to prevent secrets (API keys, passwords, tokens, etc.) from being committed.
+
+---
+
+## ๐Ÿš€ Setup
+
+Run the setup script once:
+
+```bash
+chmod +x setup-hooks.sh
+./setup-hooks.sh
+```
+
+This will:
+
+- Configure Git to use .githooks/ as the hooks directory.
+- Make .githooks/pre-commit executable.
+- Ensure gitleaks is installed (v8.28.0).
+
+If missing, the script will download the correct binary for your OS/architecture.
+
+Confirm the hook is ready.
+
+๐Ÿ›ก๏ธ Pre-Commit Scan
+On every git commit, the hook will:
+
+- Run a Gitleaks scan on staged changes only.
+- Block the commit if potential secrets are detected.
+- Write results to .gitleaks_out/gitleaks-precommit.json.
+
+If a commit is blocked:
+
+- Check .gitleaks_out/gitleaks-precommit.json for details.
+- Remove or mask the secret before retrying.
+
+Do not bypass with git commit --no-verify โ€” CI will still block your PR.
+
+---
+
+###
+
+Docker Fallback
+
+If a local Gitleaks binary is missing, the pre-commit hook will fall back to Docker:
+
+docker run --rm -i -v "$(pwd)":/repo ghcr.io/gitleaks/gitleaks:v8.28.0 detect ...
+
+---
+
+###
+โœ… Verifying Installation
+To check that everything is set up correctly:
+
+```
+gitleaks version
+```
+# should print: 8.28.0
+
+---
+
+###
+๐Ÿงน Ignore False Positives
+If Gitleaks flags something that is not a real secret:
+
+Talk to your Team Lead / DevOps.
+
+They can add an exception to gitleaks.toml.
+
+With this setup, secrets are scanned locally before every commit and again in CI, ensuring strong security across the repo. ๐Ÿ”
+
+Gitleaks is set ๐Ÿš€
\ No newline at end of file
diff --git a/gitleaks.toml b/gitleaks.toml
new file mode 100644
index 0000000..5b20324
--- /dev/null
+++ b/gitleaks.toml
@@ -0,0 +1,44 @@
+title = "Peer Server Settings Gitleaks Config"
+
+[[rules]]
+id = "infra-catch-common-secrets"
+description = "Catch common infrastructure secrets (Terraform, Grafana, Loki, Prometheus, SSH, API keys)"
+regex = '''(?i)(ghp_[0-9A-Za-z]{36}|github_pat_[0-9A-Za-z_]{20,}|glpat-[0-9A-Za-z\-_]{20}|AKIA[0-9A-Z]{16}|ASIA[0-9A-Z]{16}|[A-Za-z0-9]{20,}:[A-Za-z0-9+/]{40,}|eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9._-]+\.[A-Za-z0-9._-]+|-----BEGIN( RSA| DSA| EC| OPENSSH)? PRIVATE KEY-----|token\s*=\s*["'][A-Za-z0-9_\-]{10,}["']|password\s*=\s*["'][^"']{6,}["'])'''
+tags = ["key", "secret", "terraform", "infrastructure"]
+
+[[rules]]
+id = "infra-entropy-catch-all"
+description = "Catch high-entropy strings for unknown secrets (Terraform, YAML, JSON, env)"
+regex = '''[A-Za-z0-9\+=!@#$%^&*._-]{30,}'''
+entropy = 4.0
+tags = ["key", "secret", "terraform", "infrastructure"]
+
+[[rules]]
+id = "grafana-api-tokens"
+description = "Detect Grafana, Loki, or Prometheus API tokens"
+regex = '''(?i)(grafana[_-]api[_-]?key\s*[:=]\s*["']?[A-Za-z0-9_-]{20,}|bearer\s+[A-Za-z0-9\-_]{20,})'''
+tags = ["grafana", "api", "key"]
+
+[[rules]]
+id = "terraform-provider-secrets"
+description = "Catch potential provider secrets in Terraform (.tf) files"
+regex = '''(?i)(access[_-]?key\s*=\s*["'][A-Za-z0-9/+=]{16,}["']|secret[_-]?key\s*=\s*["'][A-Za-z0-9/+=]{32,}["']|client[_-]?secret\s*=\s*["'][A-Za-z0-9/+=]{20,}["'])'''
+tags = ["terraform", "provider", "key"]
+
+[pathDenylist]
+description = "Exclude irrelevant or generated files"
+regexes = [
+ '''^\.terraform/.*''',
+ '''^\.terraform\.lock\.hcl$''',
+ '''^terraform\.tfstate.*$''',
+ '''^node_modules/.*''',
+ '''^__pycache__/.*''',
+ '''^\.venv/.*''',
+ '''^dist/.*''',
+ '''^build/.*''',
+ '''^coverage/.*''',
+ '''^\.github/workflows/.*''',
+ '''^logs?/.*''',
+ '''^tmp/.*''',
+ '''^\.env.*$'''
+]
diff --git a/setup-hooks.sh b/setup-hooks.sh
new file mode 100755
index 0000000..8eadbef
--- /dev/null
+++ b/setup-hooks.sh
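Review bot: `[pathDenylist]` is not a config table I can find in the gitleaks documentation, and unknown keys are typically ignored rather than rejected, so the exclusions listed under `regexes = [` may silently have no effect on 8.28.0; the documented mechanism for ignoring paths is `[allowlist]` with `paths = [ ... ]` taking the same regex strings, which is worth confirming against the version the setup script installs. Whichever table is used, `'''^\.env.*$'''` excludes exactly the files most likely to carry real credentials — if `.env` files are meant to stay out of the repository they belong in `.gitignore`, not in the scanner's ignore list. These path exclusions only affect the CI scan anyway, since the pre-commit hook feeds a diff through `--pipe` with no paths attached. The `infra-entropy-catch-all` rule (`[A-Za-z0-9\+=!@#$%^&*._-]{30,}` at entropy 4.0) will also match ordinary SHA-256 digests and long URLs, so expect noise from lockfiles and pinned image references.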
@@ -0,0 +1,52 @@
+#!/bin/sh
+set -e
+
+echo "Setting up Git hooks..."
+
+# Point Git to .githooks directory
+git config core.hooksPath .githooks
+
+# Ensure pre-commit is executable
+chmod +x .githooks/pre-commit
+
+echo "Git hooks installed. Pre-commit scan will now run automatically."
+
+# Check if gitleaks is installed
+if command -v gitleaks >/dev/null 2>&1; then
+ echo "โšก Gitleaks already installed: $(gitleaks version)"
+ exit 0
+fi
+
+# Install Gitleaks if missing
+VERSION="8.28.0"
+OS=$(uname -s | tr '[:upper:]' '[:lower:]')
+ARCH=$(uname -m)
+
+echo "Installing Gitleaks v$VERSION for $OS-$ARCH..."
+
+case "$OS-$ARCH" in
+ linux-x86_64)
+ URL="https://github.com/gitleaks/gitleaks/releases/download/v$VERSION/gitleaks_${VERSION}_linux_x64.tar.gz"
+ ;;
+ linux-aarch64)
+ URL="https://github.com/gitleaks/gitleaks/releases/download/v$VERSION/gitleaks_${VERSION}_linux_arm64.tar.gz"
+ ;;
+ darwin-arm64)
+ URL="https://github.com/gitleaks/gitleaks/releases/download/v$VERSION/gitleaks_${VERSION}_darwin_arm64.tar.gz"
+ ;;
+ darwin-x86_64)
+ URL="https://github.com/gitleaks/gitleaks/releases/download/v$VERSION/gitleaks_${VERSION}_darwin_x64.tar.gz"
+ ;;
+ *)
+ echo "Unsupported OS/Arch ($OS-$ARCH). Please install manually:"
+ echo "https://github.com/gitleaks/gitleaks/releases/tag/v$VERSION"
+ exit 1
+ ;;
+esac
+
+curl -sSL "$URL" -o gitleaks.tar.gz
+tar -xvzf gitleaks.tar.gz gitleaks
+sudo mv gitleaks /usr/local/bin/
+rm -f gitleaks.tar.gz
+
+echo "Installed Gitleaks v$(gitleaks version)"
\ No newline at end of file
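Review bot: The `curl -sSL "$URL"` / `tar -xvzf` / `sudo mv gitleaks /usr/local/bin/` sequence installs a binary as root without checking its integrity, so a swapped release asset or an interposed proxy lands straight on every developer's PATH, where the pre-commit hook then trusts it to decide what may be committed. Verify the tarball's SHA-256 against a digest pinned in the script (one per asset, taken from the release's checksum list) before installing, pass `-f` to curl so an HTTP error page is not handed to tar, and stage the download in `mktemp -d` instead of the repository root, where an interrupted run leaves `gitleaks.tar.gz` behind. `install -m 0755` is also a clearer replacement for `mv` into `/usr/local/bin/`.
```sh
# Expected digest for the chosen asset — placeholder, set one real value per case arm above.
EXPECTED_SHA256="<sha256-of-${URL##*/}-from-release-checksums>"

tmp=$(mktemp -d)
trap 'rm -rf -- "$tmp"' EXIT
curl -fsSL "$URL" -o "$tmp/gitleaks.tar.gz"
if command -v sha256sum >/dev/null 2>&1; then
  actual=$(sha256sum "$tmp/gitleaks.tar.gz" | cut -d' ' -f1)
else
  actual=$(shasum -a 256 "$tmp/gitleaks.tar.gz" | cut -d' ' -f1)
fi
if [ "$actual" != "$EXPECTED_SHA256" ]; then
  echo "Checksum mismatch for $URL; refusing to install" >&2
  exit 1
fi
tar -xzf "$tmp/gitleaks.tar.gz" -C "$tmp" gitleaks
sudo install -m 0755 "$tmp/gitleaks" /usr/local/bin/gitleaks
# … unchanged: final version echo …
```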